Amazon EKS

EKS Security Groups Not Configured

Risk Level: Medium

Description: 

This plugin guarantees that the EKS Cluster's security groups are set up. The EKS control plane simply requires access to port 443. Additional port access should not be added to security groups for the control plane.

About the Service :

Amazon Elastic Kubernetes Service (Amazon EKS) is a managed container service for running and scaling Kubernetes applications in the cloud or on-premises. With Amazon EKS, you can take advantage of all the performance, scale, reliability, and availability of AWS infrastructure, as well as integrations with AWS networking and security services. 

Impact : 

It's not a good idea to open all kinds of ports inside your Amazon EKS security groups since it allows attackers to use port scanners and other probing techniques to find and exploit apps and services operating on your EKS clusters.

Steps to reproduce :

  1. Log In to your AWS Console.
  2. Open the Amazon EKS console. You can use this link (https://console.aws.amazon.com/eks) to navigate directly if already logged in. 
  3. From the list of clusters available in the Clusters under Amazon Container Services, click on the Cluster name of the cluster you wish to investigate.
  4. Move to the Details tab of the cluster configuration page and then navigate to the Networking section.
  5. Click on the Cluster security group that you want to examine.
  6. In the Inbound Rules check for the Port range, if more than one port different than TCP port 443 is allowed access that means the access configuration of the security group is not compliant.
  7. Repeat the steps for other clusters as well.

Steps for remediation :

  1. Log In to your AWS Console.
  2. Open the Amazon EKS console. You can use this link (https://console.aws.amazon.com/eks) to navigate directly if already logged in. 
  3. From the list of clusters available in the Clusters under Amazon Container Services, click on the Cluster name of the cluster you wish to investigate.
  4. Move to the Details tab of the cluster configuration page and then navigate to the Networking section.
  5. Click on the Cluster security group that you want to examine.
  6. In the Inbound Rules check for the Port range, if more than one port different than TCP port 443 is allowed access that means the access configuration of the security group is not compliant.
  7. Move to the EC2 dashboard and then navigate to the Security Groups in the Network and Security.
  8. Select the security group and then move to the Inbound Rules section and click on Edit Inbound Rules.
  9. Find the inbound rules configured to allow access to ports different than TCP 443, then remove it and click on Save to apply changes.
  10. Repeat the steps for other clusters as well.

References: